From web vulnerabilities to email risks and other data leaks, security has never been higher on the agenda. Steve Evans looks at the latest threat landscape and what technologies and best practices are doing to help.
What were you doing on 24 March this year? Remember anything special happening? It was a Wednesday in the run-up to a general election, and Alistair Darling delivered what proved to be his final budget, offending cider drinkers all over the UK by raising duty on the drink by 10%.
There was also another event happening on the other side of the planet, one that could have far-reaching repercussions across the business world. A DNS administrator in Chile noticed that requests to sites such as Twitter, Facebook and many more were not being routed to their .com addresses. Instead, they were being redirected to .cn addresses: addresses behind the Great Firewall of China, a strictly controlled environment the Chinese government uses to determine what information its citizens can access online.
Users attempting to access affected sites were met with either an error message or saw what surfers within China normally see. While this may not sound like a huge issue, and it's not been revealed whether it was done accidentally or not, Rodney Joffe, senior technologist at DNS service provider Neustar, called it a "real world example of the Net security industry's worst nightmare".
Joffe, described by Forbes as "one of the few people on the planet who knows how the Internet really works", tells CBR that the implications could be disastrous for businesses. "If your traffic went through China without you knowing, a number of things could have happened: your credentials could have been logged and your data could have been intercepted and modified by a competitor. If you tell a CIO that, they would be greatly concerned. This is happening today, it's just that almost no one is aware of it."
More worryingly, "the routing issue is a weakness in the protocol," Joffe adds. "There is almost nothing that companies can do. They are used to dealing with intrusions, and malware on the system, but the game is different now; the network is used as the mechanism to compromise and almost no company is in a position to know what is going on on the Internet."
From fame to fortune
That might seem like one extreme example of how the threat landscape is changing for businesses, but it is indicative of a shift that companies will need to adapt to. Hacking is no longer about breaching a company's system for the notoriety; it's now a highly sophisticated, well-funded industry intent on stealing valuable data.
"Eight out of 10 attacks now come through the web, and 98% of those have keylogging functionality; they are stealing data," says Tim Warner, VP of sales at M86 Security. "The image of Matthew Broderick in WarGames is not what happens any more. It is organised crime and they are trying to make money out of it and the way they do that is by stealing data. So most of it today is not the traditional viruses or worms we saw before."
"The [security] industry has talked about the shift from fame to fortune over the last few years in the criminal underground," says Dan Hubbard, chief technology officer at Websense, adding that this change, along with other developing threats, is catching the security industry out.
"Unfortunately things move a heck of a lot faster than standards do," he says. "If you look at handhelds, cloud computing and Web 2.0, these things are rolling over in three to six months, so forget standards. Remember GeoCities? Remember MySpace? Things can move really fast and it's hard to introduce standards. You also have to remember that most people who get hacked are compliant to the latest standards."
Hubbard adds that a lot of the technology used in the security industry is not designed for the new threats that are emerging. So what can businesses do to help protect their infrastructure? Many, it seems, are throwing money at the problem. A recent report by Forrester Research said that around 40% of businesses will increase their spending on new IT security technologies in 2010, with network security seeing the greatest spending increase and data security being the largest budget item for organisations.
Gartner, too, predicted that spending in this space would rise. The analyst firm reckons that security software budgets will grow 4% during 2010, with security services budgets growing by almost 3%. The company also warned that emerging threats could impact security budgets. "Businesses should recognise that new threats or vulnerabilities may require security spending that exceeds the amounts allocated, and should consider setting aside up to 15% of the IT security budget to address the potential risks and impact of such unforeseen issues," said Ruggero Contu, principal research analyst at Gartner.
Hubbard believes that smarter spending is key to improved security: "Customers are thinking: Are the products addressing exactly what I need them to address? Can I consolidate some of them into three or four instead of 12 or 15? Can I just get rid of some of them?" he says.
This is something Jon Collins, MD and CEO of analyst house Freeform Dynamics, agrees with. "It's about how we buy stuff and how we try to solve problems. It's human nature to solve problems more tactically than necessary. It stands to reason that the simpler security products - like antivirus and firewalls - are more prevalent, but it's the tougher stuff that fewer organisations have implemented. That's because they are harder to understand, buy and get a business case for. The end result is that we don't have integrated security infrastructures and comprehensively respond to threats."
While businesses and the security industry rush to keep up with new threats, they shouldn't take their eye off traditional vulnerabilities. Email security is clearly mission-critical for many, if not all, enterprises, and email is used to send lots of sensitive data, whether it's work-related information or not. It is also often sent in an unsecured manner; the S in SMTP, the protocol used in sending and receiving email, stands for simple.
"Along with inbound threats such as spam, phishing attacks and viruses, companies are increasingly faced with having to control what leaves their organisation via email. With industry regulation and legislation, companies now have to take steps to ensure their employees are not accidentally or maliciously leaking material," says Ed Rowley, product manager at M86. The ICO can now fine companies up to £500,000 for data leaks, so the issue has never been higher on the agenda, not only in the IT department but right up to C-level, highlighting the fact that security is a business-wide issue, Rowley adds.
While the introduction of fines is a positive step, Rik Ferguson, senior security advisor at Trend Micro, believes that the measures don't go far enough. "Stronger legislation and punishment will help; people I speak to literally don't care about the Data Protection Act because the consequences of falling foul of it are not massive and are easily recoverable from," he told CBR recently. "We don't have a data breach disclosure law so if you do lose some you don't have to tell anyone. Increasing the public responsibility of organisations for private data will increase the attention they pay to keeping that data secure."
Ferguson expects the threat landscape to change over the next few years - citing handheld devices such as smartphones, netbooks and iPads being used in the workplace but not managed by the business as a potential security nightmare - but he adds that traditional security threats will always be around.
"There's a lot of money to be made; it's not just the people stealing the information, it's the ecosystem around it: the niche vendors, the exploit kit vendors, the command and control vendors, the information vendors and purchasers," he says. "It's so mature now that the threat that comes from the ecosystem isn't going to go away. In many cases we give them so much low-hanging fruit to take advantage of, why should they bother changing their methodology?"